
allow configurable ssl protocols and ciphersuites

This commit is contained in:
Kyle Spearrin 2018-08-31 12:11:44 -04:00
parent d43d0f1446
commit d4c35a98b7
3 changed files with 33 additions and 8 deletions


@ -150,6 +150,7 @@ namespace Bit.Setup
{
[Description("Note: After making changes to this file you need to run the `rebuild` or `update`\n" +
"command for them to be applied.\n\n" +
"Full URL for accessing the installation from a browser. (Required)")]
public string Url { get; set; } = "https://localhost";
@ -180,6 +181,14 @@ namespace Bit.Setup
[Description("Configure Nginx for SSL.")]
public bool Ssl { get; set; } = true;
[Description("SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.\n" +
"Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
public string SslVersions { get; set; }
[Description("SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.\n" +
"Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
public string SslCiphersuites { get; set; }
[Description("Installation uses a managed Let's Encrypt certificate.")]
public bool SslManagedLetsEncrypt { get; set; }
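Review bot: The descriptions added for SslVersions and SslCiphersuites say "Leave empty for recommended default" without stating what the default is or what format the value takes, and since the value is handed to nginx verbatim an operator needs both before editing it. I would spell them out in place: `[Description("SSL protocols used by Nginx (ssl_protocols), space separated. Leave empty for the recommended default (TLSv1.2).\n" +` and, for the ciphers, `[Description("SSL ciphersuites used by Nginx (ssl_ciphers), in OpenSSL colon-separated format. Leave empty for the recommended default.\n" +`. The config key is named SslVersions while the builder property and the nginx directive are both called ssl_protocols; the description bridges that, but a consistently named key would avoid the mismatch if the name is not yet relied on elsewhere. The class body continues outside the hunk.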


@ -6,10 +6,6 @@ namespace Bit.Setup
public class NginxConfigBuilder
{
private const string ConfFile = "/bitwarden/nginx/default.conf";
private const string SslCiphers =
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:" +
"ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" +
"ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
private const string ContentSecurityPolicy =
"default-src 'self'; style-src 'self' 'unsafe-inline'; " +
"img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
@ -98,6 +94,27 @@ namespace Bit.Setup
DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
}
}
if(!string.IsNullOrWhiteSpace(context.Config.SslCiphersuites))
{
SslCiphers = context.Config.SslCiphersuites;
}
else
{
SslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" +
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:" +
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" +
"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
}
if(!string.IsNullOrWhiteSpace(context.Config.SslVersions))
{
SslProtocols = context.Config.SslVersions;
}
else
{
SslProtocols = "TLSv1.2";
}
}
public bool Ssl { get; set; }
@ -107,8 +124,9 @@ namespace Bit.Setup
public string KeyPath { get; set; }
public string CaPath { get; set; }
public string DiffieHellmanPath { get; set; }
public string SslCiphers { get; set; }
public string SslProtocols { get; set; }
public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
public string SslCiphers => NginxConfigBuilder.SslCiphers;
}
}
}
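Review bot: The operator-supplied cipher and protocol strings are copied into SslCiphers and SslProtocols unchanged, and the template renders them with triple braces, so a value containing a double quote, semicolon or line break produces a default.conf that nginx refuses (or that reads as a different directive), with the failure surfacing only when the container starts rather than at setup time; a conservative allowlist check here would fail fast with a clear message. The default cipher list is also now an inline literal that duplicates the constant this commit deletes from the top of the class; I would keep it as `private const string DefaultSslCiphers = …;` next to ConfFile, add `private const string DefaultSslProtocols = "TLSv1.2";`, and reduce each if/else to a single conditional assignment. The constructor this sits in begins outside the hunk, and the Regex use below needs `System.Text.RegularExpressions` in scope; if the setup tool has its own error-reporting path, use that instead of throwing.
```csharp
// … unchanged: earlier constructor body (certificate and dhparam paths) …
var ciphers = context.Config.SslCiphersuites;
var protocols = context.Config.SslVersions;
// Both values are written into default.conf unescaped, so only accept the
// characters OpenSSL cipher strings and nginx protocol lists are made of.
if(!string.IsNullOrWhiteSpace(ciphers) && !Regex.IsMatch(ciphers, @"^[A-Za-z0-9:!+\-@=]+$"))
{
    throw new ArgumentException("SslCiphersuites contains characters that are not valid in an nginx ssl_ciphers value.");
}
if(!string.IsNullOrWhiteSpace(protocols) && !Regex.IsMatch(protocols, @"^[A-Za-z0-9. ]+$"))
{
    throw new ArgumentException("SslVersions contains characters that are not valid in an nginx ssl_protocols value.");
}
SslCiphers = string.IsNullOrWhiteSpace(ciphers) ? DefaultSslCiphers : ciphers;
SslProtocols = string.IsNullOrWhiteSpace(protocols) ? DefaultSslProtocols : protocols;
```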


@ -28,9 +28,7 @@ server {
ssl_dhparam {{{DiffieHellmanPath}}};
{{/if}}
# SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
ssl_protocols TLSv1.2;
# Enable most secure cipher suites only.
ssl_protocols {{{SslProtocols}}};
ssl_ciphers "{{{SslCiphers}}}";
# Enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
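Review bot: Replacing the fixed `ssl_protocols TLSv1.2;` and its two explanatory comments with `{{{SslProtocols}}}` leaves the template with no hint of where the values come from, what they fall back to, or that the triple braces insert them without escaping. I would restore a short comment above the new line: `# ssl_protocols and ssl_ciphers come from SslVersions / SslCiphersuites in the setup config; empty values fall back to the builder defaults (TLSv1.2 and the builder's cipher list). They are inserted as-is, so keep them to plain nginx/OpenSSL tokens.` The server block continues outside the hunk.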